OneTallor

Untitled

Aug 14th, 2017
For a few days I've been trying to generate/spoof a new MTA serial. What I've already tried:

- Hooking WMI (it uses it for retrieving the BIOS serial etc., but hooking doesn't change the serial)
- Hooking DeviceIoControl (it uses it as well, for retrieving the hard drive serial; it seems to be called on each connect with the server) - didn't work
- Hooking GetAdaptersInfo for MAC spoofing - didn't work
- Hooking the internal API function GetSerial (netc.dll) worked; the serial looked changed, but when joining the server the original serial was used (probably there's one more)
- Reinstalling GTA+MTA and hooking again in the hope it would change.

Additional info: the serial is also stored in the registry, but it doesn't mean anything, as the serial used in handshakes is in memory.

Other possibilities:

- SID (generated uniquely on each new Windows installation). There's a changer available at http://www.stratesave.com/html/sidchg.html, but I'm afraid to use it and prefer to do it without modifying my system. Some people say their serial changed after upgrading/reinstalling their Windows.
- The serial is stored somewhere on the hard drive, or is just a binary with hardware data.

Did you manage to reverse what is used to generate the serial, or where the serial is stored?

Netc.dll is injected into both Multi Theft Auto.exe and gta_sa.exe, but 90% it's generated in gta_sa.exe.

I'm doing this for purely educational purposes and don't intend to hack on servers; I'm just curious about the method, but it's kept as a "secret" and the knowledge is only available to MTA staff.

They also have the driver FairplayKD.sys, but I doubt it's generated there. It is a "sandbox".

The serial is most probably an MD5 hash (or not; 128 bits = 16 bytes), but I doubt advapi32.dll functions are used for that.

---
Address          Size Label
-------          ---- -----
.text:100192DB   0010 RIPEMD-128 InitState [32.le.16&]
.text:10021B19   0004 TEA1_DS [32.le.4]
.text:1003581D   0014 SHA1 / SHA0 / RIPEMD-160 initialization [32.le.20&]
.text:10106F61   0015 anti-debug: anti-VMWare [..21]
.text:1013B6BA   000C function where is handled the ZipCrypto password [32.le.12&]
.text:10151203   0008 classical random incrementer 0x343FD 0x269EC3 [32.le.8&]
.rdata:10271400  0040 padding used in hashing algorithms (0x80 0 ... 0) [..64]
.rdata:103737C8  003E rfc3548 Base 64 Encoding with URL and Filename Safe Alphabet [..62]
.rdata:103737C8  0040 B64EncodeTable [..64]
.rdata:1037E0C8  0400 Adler CRC32 (0x191b3141) [32.le.1024]
.rdata:1037E4C8  0400 Adler CRC32 (0x01c26a37) [32.le.1024]
.rdata:1037E8C8  0400 Adler CRC32 (0xb8bc6765) [32.le.1024]
.rdata:1037FF60  0100 Zlib length_code [..256]
.rdata:10380060  0200 Zlib dist_code [..512]
.rdata:10380260  0074 zinflate_lengthExtraBits [32.le.116]
.rdata:103802D8  0078 zinflate_distanceExtraBits [32.le.120]
.rdata:103808B0  0074 Zlib base_length [32.le.116]
.rdata:10380928  0078 Zlib base_dist [32.le.120]
.rdata:103AA518  0011 anti-debug: IsDebuggerPresent [..17]
.rdata:103AAA5C  0015 Windows CryptAcquireContext [..21]
.rdata:103AAAB0  0010 Windows CryptCreateHash [..16]
.rdata:103AAAC2  000E Windows CryptHashData [..14]
.data:103AB058   0120 SHA224 [32.le.288&]
.data:103AB058   0020 SHA224_DS [32.le.32]
.data:103AB078   0020 SHA256 Initial hash value H (0x6a09e667UL) [32.le.32&]
.data:103AB078   0120 SHA256 [32.le.288&]
.data:103AB07C   0010 Crypton kp [32.le.16]
.data:103AB098   0040 Initial hash value H for SHA-384 and SHA-512 [64.le.64&]
.data:103AB098   02C0 SHA384 [64.le.704&]
.data:103AB0D8   0040 Initial hash value H for SHA-512 [64.le.64&]
.data:103AB0D8   02C0 SHA512 [64.le.704&]
.data:103AB118   0100 SHA256 Hash constant words K (0x428a2f98) [32.le.256]
.data:103AB218   0280 Hash constant words K for SHA-384 and SHA-512 [64.le.640]
.data:103ABC70   0040 padding used in hashing algorithms (0x80 0 ... 0) [..64]
.tls:103E0007    0040 padding used in hashing algorithms (0x80 0 ... 0) [..64]
---

The serial is generated from a "checksum" stored in the registry (it's not even MD5). Under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Multi Theft Auto: San Andreas All\1.5\Settings\general the value is named "cachechecksum".

The checksum looks like: 12CC2B5B:4B4552GGCCGGDF5FF:F4213

It is hashed with MD5: 540D6A2D8D207A67FF77D91D29EBB448

Part of the hash is prepended to the checksum and the second part of it is appended; the final value stored in the registry looks like:

540D6A2D8D207A6712CC2B5B:4B4552GGCCGGDF5FF:F4213FF77D91D29EBB448

The real serial shown in the console is simply this:
12CC2B5B:4B4552GGCCGGDF5FF:F4213

but "obfuscated" a little bit (all characters are decreased by 1, ':' is replaced by '9'):
01BB1A4A93A3441FFBBFFCE4EE9E3102

As you should have noticed, it's not even hexadecimal.

Spoofing the checksum works and the serial is changed. But still, it's not used in the connection phase. After removing the checksum, a new checksum is added with RegSetValueExW. So we have to somehow trace the calls and find the origin... but it still ain't easy.

The question still remains the same: how is the checksum generated, and where does it come from?
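A small model of the cachechecksum-to-serial relationship described in the post, added here as an example; it is not part of the original paste and not MTA's own code. It assumes the stored hex is uppercase and that MD5 is computed over the checksum's ASCII bytes exactly as shown. The paste's own MD5 value is not re-derived, so only the structural relationship (hash halves wrapped around the checksum) and the per-character shift are modelled; the shift does reproduce the console serial shown above, and the ':' to '9' replacement turns out to be the same rule, since chr(0x3A - 1) is '9'. Whether MTA actually verifies the hash halves on read is not established by the post; the tamper check below only shows that the layout makes such a check possible.

```python
"""Model of the cachechecksum <-> serial relationship described in the paste.

Added example, not MTA's code.  Assumptions: uppercase hex, MD5 over the
checksum's ASCII bytes, 16-hex-char halves as in the post's stored value.
"""
import hashlib
from typing import Tuple

HASH_HALF = 16  # 128-bit MD5 = 32 hex chars, split into two 16-char halves


def md5_hex(text: str) -> str:
    """Uppercase MD5 hex digest of the ASCII text (encoding is an assumption)."""
    return hashlib.md5(text.encode("ascii")).hexdigest().upper()


def build_registry_value(checksum: str) -> str:
    """Registry layout from the post: md5[:16] + checksum + md5[16:]."""
    digest = md5_hex(checksum)
    return digest[:HASH_HALF] + checksum + digest[HASH_HALF:]


def parse_registry_value(value: str) -> Tuple[str, bool]:
    """Split a stored value back into (checksum, hash_matches).

    hash_matches is False when the embedded halves do not equal the MD5 of
    the middle part, i.e. the middle was edited without recomputing the hash.
    """
    if len(value) <= 2 * HASH_HALF:
        raise ValueError("value too short to hold a checksum and two hash halves")
    prefix = value[:HASH_HALF]
    suffix = value[-HASH_HALF:]
    checksum = value[HASH_HALF:-HASH_HALF]
    return checksum, (prefix + suffix) == md5_hex(checksum)


def checksum_to_serial(checksum: str) -> str:
    """Console serial: every character code decreased by one.

    ':' is 0x3A, so ':' - 1 == '9' (0x39); the ':' -> '9' replacement the
    post mentions is just this rule applied to the separator.
    """
    return "".join(chr(ord(c) - 1) for c in checksum)


def serial_to_checksum(serial: str) -> str:
    """Inverse of checksum_to_serial (add one to every character code)."""
    return "".join(chr(ord(c) + 1) for c in serial)


# Values copied from the post above.
POST_CHECKSUM = "12CC2B5B:4B4552GGCCGGDF5FF:F4213"
POST_SERIAL = "01BB1A4A93A3441FFBBFFCE4EE9E3102"

if __name__ == "__main__":
    print("serial  :", checksum_to_serial(POST_CHECKSUM))
    stored = build_registry_value(POST_CHECKSUM)
    print("registry:", stored)
    print("parsed  :", parse_registry_value(stored))
    # Editing the checksum without recomputing the halves is detectable:
    tampered = stored[:HASH_HALF] + "X" + stored[HASH_HALF + 1:]
    print("tampered:", parse_registry_value(tampered))
```

Running the script prints the serial from the post for the post's checksum; the registry value it prints will only match the post's stored value if the hashing assumptions above are right, which is exactly the kind of thing to check against a real cachechecksum before relying on this model.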